devise-otp 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 40f03e3fee5939da23d1f583390f794a2e4e456a08fd311d53a605e94ba77075
-  data.tar.gz: cc3e95dcebf0186cbb7a5f3552184093dc6e2209e421b359c6384f788f8ccaed
+  metadata.gz: 7ab31b9f7027a1468e535a1ac862c26cfc95891bdf10a618115a66767e1c5d16
+  data.tar.gz: c603692b0be3e3fbd22d4296299ccd0d5b9a42a1f9ab1f4d6cd7186ea3a864a8
 SHA512:
-  metadata.gz: a62beac8100a3f98a60b6b19f279d795d1f942dc0b44b5d7ad345527b315363185439630b3df7e34dce8d0c0bb154329b882965f45cabbb50ff1a93c7c7cdb09
-  data.tar.gz: 651d1dc15b3444db54eb8e2d14d6273858d2ec66ac7feee0ce314085175d5d3722f7062e914979b2b05a647ba8470a873179d962aadcb0657bcf8bd9bd814c66
+  metadata.gz: d7668d8f50ee7704c7b18eff92c16384eb47186ebf646260391686addd2acc9a06f3dcb92ffd7a70f87ec20106acbaa8e2e1cda4d6e1ebaabdc68ad27c80996b
+  data.tar.gz: 47ab6592ff48f37715e61f07e81813d75a99bd2d971a79642051b27fb14efd6de2dcddf71a6d579f4cbd8d0ed379044cb59e80da78683b2573e4cf0e47a1d329

data/.github/workflows/ci.yml

@@ -13,8 +13,6 @@ jobs:
       matrix:
         ruby:
           - '3.1'
-          - '3.0'
-          - '2.7'
 
     steps:
       - name: Checkout

data/.gitignore

@@ -35,8 +35,10 @@ lib/bundler/man
 test/dummy/log/**
 test/dummy/tmp/**
 test/dummy/db/*.sqlite3
+test/dummy/db/*.sqlite3-shm
+test/dummy/db/*.sqlite3-wal
 
 Gemfile.lock
 
 # Generated test files
-tmp/*
+tmp/*

data/CHANGELOG.md

@@ -1,17 +1,60 @@
 # Changelog
 
-## 0.4.0
+## 0.7.0
 
 Breaking changes:
 
-- rename `Devise::Otp` to `Devise::OTP`
-- change `credentials` directory to `otp_credentials`
-- change `tokens` directory to `otp_tokens`
+- Require confirmation token before enabling Two Factor Authentication (2FA) to ensure that user has added OTP token properly to their device
+- Update DeviseAuthenticatable to redirect user (rather than login user) when OTP is enabled
+- Remove OtpAuthenticatable callbacks for setting OTP credentials on create action (no longer needed)
+- Replace OtpAuthenticatable "reset_otp_credentials" methods with "clear_otp_fields!" method
+- Update otp_tokens#edit to populate OTP secrets (rather than assuming they are populated via callbacks in OTPDeviseAuthenticatable module)
+- Repurpose otp_tokens#destroy to disable 2FA and clear OTP secrets (rather than resetting them)
+- Add reset token action and hide/repurpose disable token action
+- Update disable action to preserve the existing token secret
+- Hide button for mandatory OTP
+- Add Refreshable hook, and tie into after\_set\_user calback
+- Utilize native warden session for scoping of credentials\_refreshed\_at and refresh\_return\_url properties
+- Require adding "ensure\_mandatory\_{scope}\_otp! to controllers for mandatory OTP
+- Update locales to support the new workflow
 
-Other improvements:
+### Upgrading
 
-- Fix file permissions
+Regenerate your views with `rails g devise_otp:views` and update locales.
 
-## 0.3.0
+Changes to locales:
+
+- Remove:
+  - otp_tokens.enable_request
+  - otp_tokens.status
+  - otp_tokens.submit
+- Add to otp_tokens scope:
+  - enable_link
+- Move/rename devise.otp.token_secret.reset_\* values to devise.otp.otp_tokens.disable_\* (for consistency with "enable_link")
+  - disable_link
+  - disable_explain
+  - disable_explain_warn
+- Add to new edit_otp_token scope:
+  - title
+  - lead_in
+  - step1
+  - step2
+  - confirmation_code
+  - submit
+- Move "explain" to new edit_otp_token scope
+- Add devise.otp.otp_tokens.could_not_confirm
+- Rename "successfully_reset_creds" to "successfully_disabled_otp"
+
+You can grab the full locale file [here](https://github.com/wmlele/devise-otp/blob/master/config/locales/en.yml).
+
+## 0.6.0
+
+Improvements:
+
+- support rails 6.1 by @cotcomsol in #67
+
+Fixes:
+
+- mandatory otp fix by @cotcomsol in #68
+- remove success message by @strzibny in #69
 
-A long awaited update bringing Devise::OTP from the dead!

data/README.md

@@ -1,6 +1,6 @@
 # Devise::OTP
 
-Devise OTP is a two-factors authentication extension for Devise. The second factor is done using an [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238) Time-Based One-Time Password (TOTP) implemented by the [rotp library](https://github.com/mdp/rotp).
+Devise OTP is a Two-Factor Authentication extension for Devise. The second factor is done using an [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238) Time-Based One-Time Password (TOTP) implemented by the [rotp library](https://github.com/mdp/rotp).
 
 It has the following features:
 
@@ -15,7 +15,11 @@ Some of the compatible token devices are:
 
 Device OTP was recently updated to work with Rails 7 and Turbo.
 
-## Two-factors authentication using OTP
+## Sponsor
+
+Devise::OTP development is sponsored by [Business Class](https://businessclasskit.com/) Rails SaaS starter kit. If you don't want to setup OTP yourself for your new project, consider starting one on Business Class.
+
+## Two-Factor Authentication using OTP
 
 * A shared secret is generated on the server, and stored both on the token device (e.g. the phone) and the server itself.
 * The secret is used to generate short numerical tokens that are either time or sequence based.
@@ -90,6 +94,12 @@ The install generator adds some options to the end of your Devise config file (`
 * `config.otp_issuer`: The name of the token issuer, to be added to the provisioning url. Display will vary based on token application. (defaults to the Rails application class)
 * `config.otp_controller_path`: The view path for Devise OTP controllers. The default being 'devise' to match Devise default installation.
 
+## Mandatory OTP
+Enforcing mandatory OTP requires adding the ensure\_mandatory\_{scope}\_otp! method to the desired controller(s) to ensure that the user is redirected to the Enable Two-Factor Authentication form before proceeding to other parts of the application. This functions the same way as the authenticate\_{scope}! methods, and can be included inline with them in the controllers, e.g.:
+
+    before_action :authenticate_user!
+    before_action :ensure_mandatory_user_otp!
+
 ## Authors
 
 The project was originally started by Lele Forzani by forking [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator) and still contains some devise_google_authenticator code. It's now maintained by [Josef Strzibny](https://github.com/strzibny/).

data/app/controllers/devise_otp/devise/otp_credentials_controller.rb

@@ -5,45 +5,31 @@ module DeviseOtp
 
       prepend_before_action :authenticate_scope!, only: [:get_refresh, :set_refresh]
       prepend_before_action :require_no_authentication, only: [:show, :update]
+      before_action :set_challenge, only: [:show, :update]
+      before_action :set_recovery, only: [:show, :update]
+      before_action :set_resource, only: [:show, :update]
+      before_action :set_token, only: [:update]
+      before_action :skip_challenge_if_trusted_browser, only: [:show, :update]
 
       #
       # show a request for the OTP token
       #
       def show
-        @challenge = params[:challenge]
-        @recovery = (params[:recovery] == "true") && recovery_enabled?
-
-        if @challenge.nil?
-          redirect_to :root
-        else
-          self.resource = resource_class.find_valid_otp_challenge(@challenge)
-          if resource.nil?
-            redirect_to :root
-          elsif @recovery
-            @recovery_count = resource.otp_recovery_counter
-            render :show
-          else
-            render :show
-          end
+        if @recovery
+          @recovery_count = resource.otp_recovery_counter
         end
+
+        render :show
       end
 
       #
       # signs the resource in, if the OTP token is valid and the user has a valid challenge
       #
       def update
-        resource = resource_class.find_valid_otp_challenge(params[resource_name][:challenge])
-        recovery = (params[resource_name][:recovery] == "true") && recovery_enabled?
-        token = params[resource_name][:token]
-
-        if token.blank?
+        if @token.blank?
           otp_set_flash_message(:alert, :token_blank)
-          redirect_to otp_credential_path_for(resource_name, challenge: params[resource_name][:challenge],
-            recovery: recovery)
-        elsif resource.nil?
-          otp_set_flash_message(:alert, :otp_session_invalid)
-          redirect_to new_session_path(resource_name)
-        elsif resource.otp_challenge_valid? && resource.validate_otp_token(params[resource_name][:token], recovery)
+          redirect_to otp_credential_path_for(resource_name, challenge: @challenge, recovery: @recovery)
+        elsif resource.otp_challenge_valid? && resource.validate_otp_token(@token, @recovery)
           sign_in(resource_name, resource)
 
           otp_set_trusted_device_for(resource) if params[:enable_persistence] == "true"
@@ -51,7 +37,7 @@ module DeviseOtp
           respond_with resource, location: after_sign_in_path_for(resource)
         else
           otp_set_flash_message :alert, :token_invalid
-          redirect_to new_session_path(resource_name)
+          render :show
         end
       end
 
@@ -78,10 +64,41 @@ module DeviseOtp
 
       private
 
+      def set_challenge
+        @challenge = params[:challenge]
+
+        unless @challenge.present?
+          redirect_to :root
+        end
+      end
+
+      def set_recovery
+        @recovery = (recovery_enabled? && params[:recovery] == "true")
+      end
+
+      def set_resource
+        self.resource = resource_class.find_valid_otp_challenge(@challenge)
+
+        unless resource.present?
+          otp_set_flash_message(:alert, :otp_session_invalid)
+          redirect_to new_session_path(resource_name)
+        end
+      end
+
+      def set_token
+        @token = params[:token]
+      end
+
+      def skip_challenge_if_trusted_browser
+        if is_otp_trusted_browser_for?(resource)
+          sign_in(resource_name, resource)
+          otp_refresh_credentials_for(resource)
+          redirect_to after_sign_in_path_for(resource)
+        end
+      end
+
       def done_valid_refresh
         otp_refresh_credentials_for(resource)
-        otp_set_flash_message :success, :valid_refresh if is_navigational_format?
-
         respond_with resource, location: otp_fetch_refresh_return_url
       end
 

data/app/controllers/devise_otp/devise/otp_tokens_controller.rb

@@ -19,24 +19,33 @@ module DeviseOtp
         end
       end
 
+      #
+      # Displays the QR Code and Validation Token form for enabling the OTP
+      #
+      def edit
+        resource.populate_otp_secrets!
+      end
+
       #
       # Updates the status of OTP authentication
       #
       def update
-        enabled = params[resource_name][:otp_enabled] == "1"
-        if enabled ? resource.enable_otp! : resource.disable_otp!
+        if resource.valid_otp_token?(params[:confirmation_code])
+          resource.enable_otp!
           otp_set_flash_message :success, :successfully_updated
+          redirect_to action: :show
+        else
+          otp_set_flash_message :danger, :could_not_confirm
+          render :edit
         end
-
-        render :show
       end
 
       #
       # Resets OTP authentication, generates new credentials, sets it to off
       #
       def destroy
-        if resource.reset_otp_credentials!
-          otp_set_flash_message :success, :successfully_reset_creds
+        if resource.disable_otp!
+          otp_set_flash_message :success, :successfully_disabled_otp
         end
 
         redirect_to action: :show
@@ -85,6 +94,15 @@ module DeviseOtp
         end
       end
 
+      def reset
+        if resource.disable_otp!
+          resource.clear_otp_fields!
+          otp_set_flash_message :success, :successfully_reset_otp
+        end
+
+        redirect_to action: :edit
+      end
+
       private
 
       def ensure_credentials_refresh

data/app/views/devise/otp_credentials/show.html.erb

@@ -3,21 +3,21 @@
 
 <%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_credential], :html => { :method => :put, "data-turbo" => false }) do |f| %>
 
-  <%= f.hidden_field :challenge, {:value => @challenge} %>
-  <%= f.hidden_field :recovery, {:value => @recovery} %>
+  <%= hidden_field_tag :challenge, @challenge %>
+  <%= hidden_field_tag :recovery, @recovery %>
 
   <% if @recovery %>
     <p>
-      <%= f.label :token, I18n.t('recovery_prompt', :scope => 'devise.otp.submit_token') %><br />
-      <%= f.text_field :otp_recovery_counter, :autocomplete => :off, :disabled => true, :size => 4 %>
+      <%= label_tag :token, I18n.t('recovery_prompt', :scope => 'devise.otp.submit_token') %><br />
+      <%= text_field_tag :otp_recovery_counter, resource.otp_recovery_counter, :autocomplete => :off, :disabled => true, :size => 4 %>
     </p>
   <% else %>
     <p>
-      <%= f.label :token, I18n.t('prompt', :scope => 'devise.otp.submit_token') %><br />
+      <%= label_tag :token, I18n.t('prompt', :scope => 'devise.otp.submit_token') %><br />
     </p>
   <% end %>
 
-  <%= f.text_field :token, :autocomplete => :off, :autofocus => true, :size => 6, :value => '' %><br>
+  <%= text_field_tag :token, nil, :autocomplete => :off, :autofocus => true, :size => 6 %><br>
 
   <%= label_tag :enable_persistence do %>
     <%= check_box_tag :enable_persistence, true, false %> <%= I18n.t('remember', :scope => 'devise.otp.general') %>

data/app/views/devise/otp_tokens/_token_secret.html.erb

@@ -1,5 +1,4 @@
 <h3><%= I18n.t('title', :scope => 'devise.otp.token_secret') %></h3>
-<p><%= I18n.t('explain', :scope => 'devise.otp.token_secret') %></p>
 
 <%= otp_authenticator_token_image(resource) %>
 
@@ -8,11 +7,11 @@
   <code><%= resource.otp_auth_secret %></code>
 </p>
 
-<p><%= button_to I18n.t('reset_otp', :scope => 'devise.otp.token_secret'), @resource, :method => :delete, :data => { "turbo-method": "DELETE" } %></p>
+<p><%= button_to I18n.t('reset_link', :scope => 'devise.otp.otp_tokens'), reset_otp_token_path_for(resource), :method => :post , :data => { "turbo-method": "POST" } %></p>
 
 <p>
-  <%= I18n.t('reset_explain', :scope => 'devise.otp.token_secret') %>
-  <strong><%= I18n.t('reset_explain_warn', :scope => 'devise.otp.token_secret') %></strong>
+  <%= I18n.t('reset_explain', :scope => 'devise.otp.otp_tokens') %>
+  <strong><%= I18n.t('reset_explain_warn', :scope => 'devise.otp.otp_tokens') %></strong>
 </p>
 
 <%- if recovery_enabled? %>

data/app/views/devise/otp_tokens/edit.html.erb

@@ -0,0 +1,26 @@
+<h2><%= I18n.t('title', :scope => 'devise.otp.edit_otp_token') %></h2>
+<p><%= I18n.t('explain', :scope => 'devise.otp.edit_otp_token') %></p>
+
+<h2><%= I18n.t('lead_in', :scope => 'devise.otp.edit_otp_token') %></h2>
+
+<p><%= I18n.t('step_1', :scope => 'devise.otp.edit_otp_token') %></p>
+
+<%= otp_authenticator_token_image(resource) %>
+
+<p>
+  <strong><%= I18n.t('manual_provisioning', :scope => 'devise.otp.token_secret') %>:</strong>
+  <code><%= resource.otp_auth_secret %></code>
+</p>
+
+<p><%= I18n.t('step_2', :scope => 'devise.otp.edit_otp_token') %></p>
+
+<%= form_with(:url => [resource_name, :otp_token], :method => :put) do |f| %>
+
+  <p>
+    <%= f.label :confirmation_code, I18n.t('confirmation_code', :scope => 'devise.otp.edit_otp_token') %>
+    <%= f.text_field :confirmation_code %>
+  </p>
+
+  <p><%= f.submit I18n.t('submit', :scope => 'devise.otp.edit_otp_token') %></p>
+
+<% end %>

data/app/views/devise/otp_tokens/show.html.erb

@@ -1,21 +1,14 @@
 <h2><%= I18n.t('title', :scope => 'devise.otp.otp_tokens') %></h2>
-<p><%= I18n.t('explain', :scope => 'devise.otp.otp_tokens') %></p>
 
-<%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_token], :html => { :method => :put, "data-turbo" => false }) do |f| %>
-
-  <%= render "devise/shared/error_messages", resource: resource %>
-
-  <h3><%= I18n.t('enable_request', :scope => 'devise.otp.otp_tokens') %></h3>
-
-  <p>
-    <%= f.label :otp_enabled, I18n.t('status', :scope => 'devise.otp.otp_tokens') %><br />
-    <%= f.check_box :otp_enabled %>
-  </p>
-
-  <p><%= f.submit I18n.t('submit', :scope => 'devise.otp.otp_tokens') %></p>
-<% end %>
+<p><strong>Status:</strong> <%= resource.otp_enabled? ? "Enabled" : "Disabled" %></p>
 
 <%- if resource.otp_enabled? %>
   <%= render :partial => 'token_secret' if resource.otp_enabled? %>
   <%= render :partial => 'trusted_devices' if trusted_devices_enabled? %>
+
+  <% unless otp_mandatory_on?(resource) %>
+    <%= button_to I18n.t('disable_link', :scope => 'devise.otp.otp_tokens'), @resource, :method => :delete, :data => { "turbo-method": "DELETE" } %>
+  <% end %>
+<% else %>
+  <%= link_to I18n.t('enable_link', :scope => 'devise.otp.otp_tokens'), edit_otp_token_path_for(resource) %>
 <% end %>

data/config/locales/en.yml

@@ -5,12 +5,13 @@ en:
         remember: Remember me
       submit_token:
         title: 'Check Token'
-        explain: "You're getting this because you enabled two-factors authentication on your account"
-        prompt: 'Please enter your two-factors authentication token:'
+        explain: "You're getting this because you enabled Two-Factor Authentication on your account"
+        prompt: 'Please enter your Two-Factor Authentication token:'
         recovery_prompt: 'Please enter your recovery code:'
         submit: 'Submit Token'
         recovery_link: "I don't have my device, I want to use a recovery code"
       otp_credentials:
+        otp_session_invalid: Session invalid. Please start again.
         token_invalid: 'The token you provided was invalid.'
         token_blank: 'You need to type in the token you generated with your device.'
         need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
@@ -21,22 +22,22 @@ en:
         explain: 'In order to ensure this is  safe, please enter your password again.'
         go_on: 'Continue...'
         identity: 'Identity:'
-        token: 'Your two-factors authentication token'
+        token: 'Your Two-Factor Authentication token'
       token_secret:
         title: 'Your token secret'
         explain: 'Take a photo of this QR code with your mobile'
         manual_provisioning: 'Manual provisioning code'
-        reset_otp: 'Reset your Two Factors Authentication status'
-        reset_explain: 'This will reset your credentials, and disable two-factors authentication.'
-        reset_explain_warn: 'You will need to enroll your mobile device again.'
       otp_tokens:
-        title: 'Two-factors Authentication:'
-        explain: 'Two factors authentication adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'
-        enable_request: 'Would you like to enable Two Factors Authenticator?'
-        status: 'Enable Two-Factors Authentication.'
-        submit: 'Continue...'
-        successfully_updated: 'Your two-factors authentication settings have been updated.'
-        successfully_reset_creds: 'Your two-factors credentials has been reset.'
+        title: 'Two-Factor Authentication:'
+        enable_link: 'Enable Two-Factor Authentication'
+        disable_link: 'Disable Two-Factor Authentication'
+        reset_link: 'Reset Token Secret'
+        reset_explain: 'Resetting your token secret will temporarilly disable Two-Factor Authentication.'
+        reset_explain_warn: 'To re-enable Two-Factor Authentication, you will need to re-enroll your mobile device with the new token secret.'
+        successfully_updated: 'Your Two-Factor Authentication settings have been updated.'
+        could_not_confirm: 'The Confirmation Code you entered did not match the QR code shown below.'
+        successfully_disabled_otp: 'Two-Factor Authentication has been disabled.'
+        successfully_reset_otp: 'Your token secret has been reset. Please confirm your new token secret below.'
         successfully_set_persistence: 'Your device is now trusted.'
         successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
         successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
@@ -48,9 +49,17 @@ en:
           code: 'Recovery Code'
           codes_list: 'Here is the list of your recovery codes'
           download_codes: 'Download recovery codes'
+      edit_otp_token:
+        title: 'Enable Two-factor Authentication'
+        explain: 'Two-Factor Authentication adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'
+        lead_in: 'To Enable Two-Factor Authentication:'
+        step_1: '1. Open your authenticator app and scan the QR code shown below:'
+        step_2: '2. Enter the 6-digit code shown in your authenticator app below:'
+        confirmation_code: "Confirmation Code"
+        submit: 'Continue...'
       trusted_browsers:
         title: 'Trusted Browsers'
-        explain: 'If you set your browser as trusted, you will not be asked to provide a Two-factor authentication token when logging in from that browser.'
+        explain: 'If you set your browser as trusted, you will not be asked to provide a Two-Factor Authentication token when logging in from that browser.'
         browser_trusted: 'Your browser is trusted.'
         browser_not_trusted: 'Your browser is not trusted.'
         trust_remove: 'Remove this browser from the list of trusted browsers'

data/devise-otp.gemspec

@@ -14,17 +14,16 @@ Gem::Specification.new do |gem|
   gem.files = `git ls-files`.split($/)
   gem.require_paths = ["lib"]
 
-  gem.add_runtime_dependency "rails", ">= 7.0", "< 7.2"
+  gem.add_runtime_dependency "rails", ">= 6.1", "< 7.2"
   gem.add_runtime_dependency "devise", ">= 4.8.0", "< 5.0"
   gem.add_runtime_dependency "rotp", ">= 2.0.0"
 
   gem.add_development_dependency "capybara"
-  gem.add_development_dependency "cuprite"
   gem.add_development_dependency "minitest-reporters", ">= 0.5.0"
   gem.add_development_dependency "puma"
   gem.add_development_dependency "rdoc"
   gem.add_development_dependency "shoulda"
   gem.add_development_dependency "sprockets-rails"
-  gem.add_development_dependency "sqlite3"
+  gem.add_development_dependency "sqlite3", "~> 1.4"
   gem.add_development_dependency "standardrb"
 end

data/lib/devise/strategies/database_authenticatable.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    # Default strategy for signing in a user, based on their email and password in the database.
+    class DatabaseAuthenticatable < Authenticatable
+      def authenticate!
+        resource  = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
+        hashed = false
+
+        if validate(resource){ hashed = true; resource.valid_password?(password) }
+          if otp_challenge_required_on?(resource)
+            # Redirect to challenge
+            challenge = resource.generate_otp_challenge!
+            redirect!(otp_challenge_url, {:challenge => challenge})
+          else
+            # Sign in user as usual
+            remember_me(resource)
+            resource.after_database_authentication
+            success!(resource)
+          end
+        end
+
+        # In paranoid mode, hash the password even when a resource doesn't exist for the given authentication key.
+        # This is necessary to prevent enumeration attacks - e.g. the request is faster when a resource doesn't
+        # exist in the database if the password hashing algorithm is not called.
+        mapping.to.new.password = password if !hashed && Devise.paranoid
+        unless resource
+          Devise.paranoid ? fail(:invalid) : fail(:not_found_in_database)
+        end
+      end
+
+      private
+
+      #
+      # resource should be challenged for otp
+      #
+      def otp_challenge_required_on?(resource)
+        resource.respond_to?(:otp_enabled?) && resource.otp_enabled?
+      end
+
+      def otp_challenge_url
+        if Rails.env.development?
+          host = "#{request.host}:#{request.port}"
+        else
+          host = "#{request.host}"
+        end
+
+        path_fragments = ["otp", mapping.path_names[:credentials]]
+        if mapping.fullpath == "/"
+          path = mapping.fullpath + path_fragments.join("/")
+        else
+          path = path_fragments.prepend(mapping.fullpath).join("/")
+        end
+
+        request.protocol + host + path
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:database_authenticatable, Devise::Strategies::DatabaseAuthenticatable)

data/lib/devise-otp/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module OTP
-    VERSION = "0.5.0"
+    VERSION = "0.7.0"
   end
 end

data/lib/devise-otp.rb

@@ -9,6 +9,24 @@ require "active_support/concern"
 
 require "devise"
 
+#
+# define DeviseOtpAuthenticatable module, and autoload hooks and helpers
+#
+module DeviseOtpAuthenticatable
+  module Controllers
+    autoload :Helpers, "devise_otp_authenticatable/controllers/helpers"
+    autoload :UrlHelpers, "devise_otp_authenticatable/controllers/url_helpers"
+    autoload :PublicHelpers, "devise_otp_authenticatable/controllers/public_helpers"
+  end
+end
+
+require "devise_otp_authenticatable/routes"
+require "devise_otp_authenticatable/engine"
+require "devise_otp_authenticatable/hooks/refreshable"
+
+#
+# update Devise module with additions needed for DeviseOtpAuthenticatable
+#
 module Devise
   mattr_accessor :otp_mandatory
   @@otp_mandatory = false
@@ -49,22 +67,24 @@ module Devise
   mattr_accessor :otp_controller_path
   @@otp_controller_path = "devise"
 
+  #
+  # add PublicHelpers to helpers class variable to ensure that per-mapping helpers are present.
+  # this integrates with the "define_helpers," which is run when adding each mapping in the Devise gem (lib/devise.rb#541)
+  #
+  @@helpers << DeviseOtpAuthenticatable::Controllers::PublicHelpers
+
   module Otp
   end
-end
-
-module DeviseOtpAuthenticatable
-  autoload :Hooks, "devise_otp_authenticatable/hooks"
 
-  module Controllers
-    autoload :Helpers, "devise_otp_authenticatable/controllers/helpers"
-    autoload :UrlHelpers, "devise_otp_authenticatable/controllers/url_helpers"
-  end
 end
 
-require "devise_otp_authenticatable/routes"
-require "devise_otp_authenticatable/engine"
-
 Devise.add_module :otp_authenticatable,
   controller: :tokens,
   model: "devise_otp_authenticatable/models/otp_authenticatable", route: :otp
+
+#
+# add PublicHelpers after adding Devise module to ensure that per-mapping routes from above are included
+#
+ActiveSupport.on_load(:action_controller) do
+  include DeviseOtpAuthenticatable::Controllers::PublicHelpers
+end